What happened:
I have two domains in my OVH provider: other.com and corp.com
I want to filter on subdomain only (domain shared with multiple clusters, security etc), so I have a filter like
```yaml
domainFilters:
  - frtcld.com
  - pen-euw1-m.corp.com
```
As pen-euw1-m.corp.com is not a root domain, it's not detected and record creation fails
What you expected to happen:
domainFilters work for OVH subdomains
How to reproduce it (as minimally and precisely as possible):
- Use OVH provider
- Use domainFilter for subdomain
- Create record
Configuration:
```yaml
ovh:
  provider: ovh
  sources:
    - crd
    - service
    - traefik-proxy
  ## Using extraArgs because of templating
  extraArgs:
    traefik-enable-legacy: null
    txt-owner-id: "cloud-{{ $.Values.global.id_cluster }}"
    txt-wildcard-replacement: "wildcard"
    txt-prefix: _cloud-extdns.
    aws-prefer-cname: null
    ## -- Public load balancer cname
    default-targets: nlb-aws-eks-pen-euw1-m-pub-1234.elb.eu-west-1.amazonaws.com
  policy: sync
  registry: txt
  annotationFilter: external-dns.corp.io/scope in (ovh)
  domainFilters:
    - other.com
    - pen-euw1-m.corp.com
  serviceMonitor:
    enabled: true
```
Relevant logs :
time="2026-05-28T09:25:55Z" level=info msg="config: {APIServerURL: KubeConfig: RequestTimeout:30s KubeAPIRequestTimeout:30s KubeAPIQPS:5 KubeAPIBurst:10 DefaultTargets:[nlb-aws-eks-pen-euw1-m-pub-1234.elb.eu-west-1.amazonaws.com[] GlooNamespaces:[gloo-system[] SkipperRouteGroupVersion:zalando.org/v1 Sources:[crd service traefik-proxy[] Namespace: AnnotationFilter:external-dns.corp.io/scope in (ovh) AnnotationPrefix:external-dns.alpha.kubernetes.io/ LabelFilter: IngressClassNames:[] FQDNTemplate: TargetTemplate: FQDNTargetTemplate: CombineFQDNAndAnnotation:false IgnoreHostnameAnnotation:false IgnoreNonHostNetworkPods:false IgnoreIngressTLSSpec:false IgnoreIngressRulesSpec:false ListenEndpointEvents:false ExposeInternalIPV6:false GatewayName: GatewayNamespace: GatewayLabelFilter: GatewayListenerSets:false Compatibility: PodSourceDomain: PublishInternal:false PublishHostIP:false AlwaysPublishNotReadyAddresses:false ConnectorSourceServer:localhost:8080 Provider:ovh ProviderCacheTime:0s CreatePTR:false GoogleProject: GoogleBatchChangeSize:1000 GoogleBatchChangeInterval:1s GoogleZoneVisibility: DomainFilter:[frtcld.com pen-euw1-m.corp.com[] DomainExclude:[internal.frtcld.com[] RegexDomainFilter: RegexDomainExclude: ZoneNameFilter:[] ZoneIDFilter:[] TargetNetFilter:[] ExcludeTargetNets:[] AlibabaCloudConfigFile:/etc/kubernetes/alibaba-cloud.json AlibabaCloudZoneType: AWSZoneType: AWSZoneTagFilter:[] AWSAssumeRole: AWSProfiles:[] AWSAssumeRoleExternalID: AWSBatchChangeSize:1000 AWSBatchChangeSizeBytes:32000 AWSBatchChangeSizeValues:1000 AWSBatchChangeInterval:1s AWSEvaluateTargetHealth:true AWSAPIRetries:3 AWSPreferCNAME:true AWSZoneCacheDuration:0s AWSSDServiceCleanup:false AWSSDCreateTag:map[] AWSZoneMatchParent:false AWSDynamoDBRegion: AWSDynamoDBTable:external-dns AzureConfigFile:/etc/kubernetes/azure.json AzureResourceGroup: AzureSubscriptionID: AzureUserAssignedIdentityClientID: AzureActiveDirectoryAuthorityHost: AzureZonesCacheDuration:0s AzureMaxRetriesCount:3 
BatchChangeSize:200 BatchChangeInterval:1s CloudflareProxied:false CloudflareCustomHostnames:false CloudflareDNSRecordsPerPage:100 CloudflareDNSRecordsComment: CloudflareCustomHostnamesMinTLSVersion:1.0 CloudflareCustomHostnamesCertificateAuthority:none CloudflareRegionalServices:false CloudflareRegionKey: CoreDNSPrefix:/skydns/ CoreDNSStrictlyOwned:false AkamaiServiceConsumerDomain: AkamaiClientToken: AkamaiClientSecret: AkamaiAccessToken: AkamaiEdgercPath: AkamaiEdgercSection: OCIConfigFile:/etc/kubernetes/oci.yaml OCICompartmentOCID: OCIAuthInstancePrincipal:false OCIZoneScope:GLOBAL OCIZoneCacheDuration:0s InMemoryZones:[] OVHEndpoint:ovh-eu OVHApiRateLimit:20 OVHEnableCNAMERelative:false PDNSServer:http://localhost:8081 PDNSServerID:localhost PDNSAPIKey: PDNSSkipTLSVerify:false TLSCA: TLSClientCert: TLSClientCertKey: Policy:sync Registry:txt TXTOwnerID:cloud-pen-euw1-m TXTOwnerOld: TXTPrefix:_cloud-extdns. TXTSuffix: TXTEncryptEnabled:false TXTEncryptAESKey: Interval:1m0s MinEventSyncInterval:5s MinTTL:0s Once:false DryRun:false UpdateEvents:false LogFormat:text MetricsAddress::7979 LogLevel:debug TXTCacheInterval:0s TXTWildcardReplacement:wildcard ExoscaleEndpoint: ExoscaleAPIKey: ExoscaleAPISecret: ExoscaleAPIEnvironment:api ExoscaleAPIZone:ch-gva-2 CRDSourceAPIVersion:externaldns.k8s.io/v1alpha1 CRDSourceKind:DNSEndpoint ServiceTypeFilter:[] ResolveServiceLoadBalancerHostname:false RFC2136Host:[] RFC2136Port:0 RFC2136Zone:[] RFC2136Insecure:false RFC2136GSSTSIG:false RFC2136KerberosRealm: RFC2136KerberosUsername: RFC2136KerberosPassword: RFC2136TSIGKeyName: RFC2136TSIGSecret: RFC2136TSIGSecretAlg: RFC2136TAXFR:false RFC2136MinTTL:0s RFC2136LoadBalancingStrategy:disabled RFC2136BatchChangeSize:50 RFC2136UseTLS:false RFC2136SkipTLSVerify:false NS1Endpoint: NS1IgnoreSSL:false NS1MinTTLSeconds:0 TransIPAccountName: TransIPPrivateKeyFile: ManagedDNSRecordTypes:[A AAAA CNAME[] ExcludeDNSRecordTypes:[] GoDaddyAPIKey: GoDaddySecretKey: GoDaddyTTL:0 GoDaddyOTE:false 
OCPRouterName: PiholeServer: PiholePassword: PiholeTLSInsecureSkipVerify:false PiholeApiVersion:5 PluralCluster: PluralProvider: WebhookProviderURL:http://localhost:8888 WebhookProviderReadTimeout:5s WebhookProviderWriteTimeout:10s WebhookServer:false TraefikEnableLegacy:true TraefikDisableNew:false NAT64Networks:[] ExcludeUnschedulable:true EmitEvents:[] ForceDefaultTargets:true UnstructuredResources:] PreferAlias:false}"
time="2026-05-28T09:25:55Z" level=info msg="GitCommitShort=unknown, GoVersion=go1.26.1, Platform=linux/amd64, UserAgent=ExternalDNS/v20260406-v0.21.0"
time="2026-05-28T09:25:56Z" level=info msg="OVH: 1 zones found"
time="2026-05-28T09:25:56Z" level=debug msg="OVH: Getting records for other.com from API"
time="2026-05-28T09:25:59Z" level=debug msg="Endpoints generated from corp-playground/extdns-mft-traefik-whoami-websecure: [tw-websecure.pen-euw1-m.corp.com 0 IN CNAME true []]"
time="2026-05-28T09:25:59Z" level=debug msg="OVH: changes CREATE dns:\"tw-websecure.pen-euw1-m.corp.com\" / targets:nlb-aws-eks-pen-euw1-m-pub-1234.elb.eu-west-1.amazonaws.com / type:CNAME"
time="2026-05-28T09:25:59Z" level=debug msg="OVH: changes CREATE dns:\"_cloud-extdns.cname-tw-websecure.pen-euw1-m.corp.com\" / targets:\"heritage=external-dns,external-dns/owner=cloud-pen-euw1-m,external-dns/resource=ingressroute/corp-playground/extdns-mft-traefik-whoami-websecure\" / type:TXT"
time="2026-05-28T09:25:59Z" level=error msg="Failed to do run once: soft error\nrecord \"tw-websecure.pen-euw1-m.corp.com\" have not found matching DNS zone in OVH provider (consecutive soft errors: 1)"
Anything else we need to know?:
Seems to be the same as this one for AWS : #2040
Environment:
- External-DNS version (use `external-dns --version`): image: registry.k8s.io/external-dns/external-dns:v0.21.0
- DNS provider: OVH
- Others:
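
Added example, not part of the original report and not external-dns source code: a simplified Go model of the zone selection described above, showing why a filter entry below the zone apex leaves `corp.com` unselected (the "1 zones found" in the log) and how accepting parent zones, while still restricting records to the filter, would keep the subdomain scoping on a shared zone. All function names and the `matchParent` switch are hypothetical.

```go
// Illustrative model of zone selection, not external-dns source; all names are hypothetical.
package main

import (
	"fmt"
	"strings"
)

// isSameOrSubdomain matches on whole labels, so "evilcorp.com" is not under "corp.com".
func isSameOrSubdomain(name, domain string) bool {
	norm := func(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) }
	return norm(name) == norm(domain) || strings.HasSuffix(norm(name), "."+norm(domain))
}

// selectZones keeps zones inside a filter; matchParent also keeps zones that contain a filter.
func selectZones(zones, filters []string, matchParent bool) []string {
	var kept []string
	for _, z := range zones {
		for _, f := range filters {
			if isSameOrSubdomain(z, f) || (matchParent && isSameOrSubdomain(f, z)) {
				kept = append(kept, z)
				break
			}
		}
	}
	return kept
}

// zoneFor picks the longest zone holding record, but only for records inside a filter.
func zoneFor(record string, zones, filters []string) (string, bool) {
	if len(selectZones([]string{record}, filters, false)) == 0 {
		return "", false // record is outside every filter, never written
	}
	best := ""
	for _, z := range zones {
		if isSameOrSubdomain(record, z) && len(z) > len(best) {
			best = z
		}
	}
	return best, best != ""
}

func main() {
	zones := []string{"other.com", "corp.com"}              // zones named in the report
	filters := []string{"other.com", "pen-euw1-m.corp.com"} // domainFilters from the report
	for _, parent := range []bool{false, true} {
		z, ok := zoneFor("tw-websecure.pen-euw1-m.corp.com", selectZones(zones, filters, parent), filters)
		fmt.Println(parent, z, ok)
	}
}
```

With parent matching enabled in this model, a record such as `www.corp.com` is still rejected because it lies outside every filter entry, which is the property that matters when several clusters share one zone.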